The CyberWire Daily Podcast 7.19.23
Ep 1866 | 7.19.23

Patches and exploits. Watching threats develop in the dark web. Spyware vendors added to the US Entity List. WhatsApp risk. And notes from the hybrid war.

Transcript

Dave Bittner: Vulnerabilities are identified and patched in Citrix NetScaler products and Adobe ColdFusion. The banking sector should be monitoring the dark web for leaked credentials and insider threats. Spyware vendors are added to the US Entity List. WhatsApp accounts may be at risk. Verizon’s Chris Novak shares insights on Log4j from this year’s DBIR. Our guest is Candid Wüest of Acronis discussing the findings of their Year-end Cyberthreats Report. Skirmishes in the cyber phases of Russia's war. And how do you demobilize cyber forces (especially the auxiliaries) once the war is over?

Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Wednesday, July 19th, 2023.

Five vulnerabilities identified and patched in Citrix NetScaler products and Adobe ColdFusion.

Dave Bittner: According to a recent report from Ars Technica, Adobe ColdFusion and Citrix NetScaler products have been found to have newly exploited vulnerabilities, prompting both vendors to urgently address the issue. The NetScaler ADC and NetScaler Gateway products are impacted by vulnerabilities, as well as Adobe's ColdFusion.

Dave Bittner: In response to these vulnerabilities, Adobe and Citrix have released updates to fix the issues. However, it appears that Adobe's fix for one specific vulnerability in ColdFusion may not be complete. Research organization Rapid7, which discovered this vulnerability, reported that the fix provided by Adobe on July 11 is still susceptible to a modified exploit in the latest version of ColdFusion released on July 14.

Dave Bittner: In an interesting twist, cybersecurity research organization Project Discovery accidentally published a zero-day vulnerability for Adobe ColdFusion before Adobe had a chance to provide a patch. It seems that Project Discovery misunderstood which vulnerability they were addressing in their blog post. Once Adobe released a fix for the issue, Project Discovery took down the initial blog post and republished it after the Adobe fix was available.

Dave Bittner: The good news is that these vulnerabilities in Adobe ColdFusion and NetScaler have now been patched. However, Rapid7 has cautioned that these vulnerabilities are already being actively exploited in the wild while organizations are working to update their systems.

Report: Cybersecurity teams in the banking sector should be monitoring the dark web for leaked credentials and insider threats.

Dave Bittner: SearchLight Cyber has released a report on “Dark web threats against the banking sector.” It details dark web activity targeting financial institutions. The report finds that the vast majority of activity is centered around initial access brokers who sell access to criminal third-parties. As SearchLight explains, “They don’t orchestrate attacks themselves but their specialization in gaining network access is relied on by other cybercriminals who either don’t have the skills to gain access or prefer to focus their resources further down the attack chain, where profits are higher. In return, Initial Access Brokers can generate consistent returns while taking on a relatively low-risk portion of the attack.” 

Dave Bittner: Insider Threats also pose a risk to financial institutions. The insiders could be contractors, employees of third-party organizations, or even employees in the bank itself. SearchLight provides examples of insiders being recruited for malicious attacks, and even requesting assistance from cybercriminals on how to conduct such an attack. 

Dave Bittner: Both insiders and initial access brokers could compromise supply chains. Banks are usually massive organizations providing services to various industries and companies. SearchLight Cyber recommends that all bank cybersecurity teams monitor the dark web for such threats.

Report: WhatsApp accounts may be at risk.

Dave Bittner: Security researcher Jake Moore tweeted that it appears to be possible to deactivate any WhatsApp account by simply emailing the company. If a user emails the phrase “Lost/Stolen:Please deactivate my account” along with the account’s phone number, the service will temporarily deactivate the account. Moore found that the request can be sent from any email address. The account can be reactivated if the user logs back in within thirty days, but Moore points out that someone could write a script that continually emails deactivation requests. Forbes notes that WhatsApp appears to have suspended the automated deactivation of accounts, and is now requiring users to send a phone bill to verify their ownership of the account.

Spyware vendors added to US Entity List.

Dave Bittner: The US Commerce Department’s Bureau of Industry and Security has added four organizations to the Entity List for their role in trafficking in commercial spyware: Intellexa S.A., based in Greece, Cytrox Holdings Crt, in Hungary, and their related subsidiaries Intellexa Limited (Ireland) and Cytrox AD (North Macedonia). The designation, which the State Department explained was "based on a determination that the companies engaged in trafficking in cyber exploits used to gain access to information systems, threatening the privacy and security of individuals and organizations worldwide," prohibits US organizations from doing most forms of business with the companies.

Skirmishes in the cyber phases of Russia's war.

Dave Bittner: Skirmishing continues in the cyber phases of Russia’s hybrid war against Ukraine. And it remains the nuisance-level stuff we’ve grown to expect from the auxiliaries and opportunists.

Dave Bittner: A Russian medical laboratory has suspended services as it recovers from a ransomware attack. It's unclear, the Record reports, whether the attack was politically or financially motivated. Either is possible, as is an admixture of the two motivations. Should it prove to be an attack in the Ukrainian interest, it would be difficult to justify as a legitimate operation--medical facilities and organizations are under most circumstances prohibited targets under international norms of armed conflict.

Dave Bittner: On the Russian side, the Russian hacktivist auxiliary NoName57 is said to have claimed responsibility for distributed denial-of-service (DDoS) attacks against New Zealand's Parliament and Law Commission.

Dave Bittner: And the Russian cyber auxiliary groups UserSec and Anonymous Russia have announced a DDoS campaign against airports in the UK. Both groups announced the attack simultaneously on Telegram, stating that “Anonymous Russia is uniting for an attack on airports in Great Britain! In our sights is the sleeping international UK airport Birmingham! God save Russia!” Anonymous Russia also posted a link to Check.host.net which showed the airport's front page as being down. At the time of writing, however, the Birmingham site seems to be up and available.

How do you demobilize cyber forces (especially the auxiliaries)?

Dave Bittner: And, finally, what do you do with soldiers once the war is over? Sure, most just want to go home, but some have trouble readjusting.

Dave Bittner: Friends of Europe thinks that, whatever the outcome of Russia's war proves to be, when it's over, it will be difficult to know what to do with the cyber operators on both sides. Many of them have been loosely controlled, and there's no precedent for standing down what amounts to a cyber army. "Textbook peacemaking relies on the so-called ‘DDR’ methodology: demobilisation, disarmament and repatriation," the Friends of Europe point out. "Incomplete DDR is often the fastest road to endless and nasty violence. For failing to demobilise elite navy commandos, Mexico has been plagued with the Zetas, who have turned out to become the backbone of drug rings. For failing to repatriate, eastern Congo has been an open-air nightmare for the past 30 years. For failing to properly disarm all belligerents, former participants of the Yugoslav Wars have been fuelling European gangs with all sorts of weaponry." 

Dave Bittner: Dismantling conventional forces can be challenging enough, but in principle the necessary steps are clear enough. But cyber forces are difficult to identify, their tools difficult to locate and disable, and both the operators and their tools can find ready postwar employment in the cyber underworld. The end of the war in Ukraine, when it comes, and it eventually will come, will see a large number of keyboard warriors adrift. Some of them will readjust, but many others may find themselves more comfortable staying in the lower bands of the spectrum of conflict.

Dave Bittner: Coming up after the break, Verizon's Chris Novak shares insights on Log4j from this year's DBIR. Our guest is Candid Wüest of Acronis discussing the findings of their Year-end Cyberthreats Report. Stay with us.

Dave Bittner: The team at security firm, Acronis, recently published their Cyberthreats Report for the year ending in 2022, reporting on the threats they're tracking and the challenges organizations are facing when dealing with those threats. Candid Wüest is vice president of research at Acronis, and he joins us with highlights from the report.

Candid Wüest: Ransomware is still a big and devastating attack which is still happening, but we also saw over the last few years already kind of the shift over to data [inaudible], so nowadays it's more about kind of privacy or data breach. And no longer just about the data disruption. So that's one of the main things that we saw, and of course on the other hand, also attacks against authentication, like MFA Fatigue, so MFA, multifactor authentication, on its own is no longer good enough and of course we've seen other mess-ups like browsers syncing passwords that enable attackers to get into companies like Cisco and others. So those are the things that we have seen, and probably will see for the future as well.

Dave Bittner: Was there anything in this year's report that was unusual or surprising?

Candid Wüest: I mean, I mean being too long for the industry probably not too much is surprising. But I still think that it's interesting to see kind of the shift towards, I would call it living off your infrastructure to where attackers actually go after service providers and managed service providers, and attack them to get into their systems, and then use their deployment tools and remote managing tools to deploy their ransomware or other malware. So that's something that we see more and more as of course the attackers, they seek to the weakest link as well and unfortunately that's sometimes your service provider.

Dave Bittner: What are we seeing in terms of longer term trends? As you all look at this year after year, does anything stand out?

Candid Wüest: I mean, we're already four months in, well three and a half maybe to be precise, for 2023, so of course the whole AI with ChatGPT and others, is probably a thing that we have to recognize for this year. So that's something that we have already seen playing out. I'm happy to dive into details on where we see them using ChatGPT and other artificial intelligence models to create phishing and malware and other things. So that's probably going to keep us busy for this year, and another topic is the whole cloud and API security, which is of course also out there and many companies still kind of ignoring it, unfortunately.

Dave Bittner: What are your recommendations then, based on the information you've gathered here for organizations to better protect themselves?

Candid Wüest: Quite funnily, it's actually kind of reducing the complexity. So something which sounds very basic, right, but unfortunately we have seen that companies, no matter if they're small or large, usually just try to add another point solution to the whole mix and we did a survey last year, to ask how many security solutions are you running in parallel, and the response was that 22 percent of the companies are using more than 10 security solutions in parallel. So that's security solutions like spam filters, antivirus, EDR, XDR, and so on. And of course that means that most of the times this will reduce your kind of exposure probably, but also increase the complexity and lead to human errors. As we all know, if there's too many solutions, they don't really play well to each other so there's a high chance that you will make some mistakes and unfortunately, those are the ones that the actors are using. So reducing complexity can help you actually increase your resilience and it also saves you some costs, because now you don't really have to bother about all the different vendors.

Dave Bittner: How do you suggest that folks go about doing that? I mean it strikes me that everybody is afraid to get rid of that tool and then the breach happens and somebody says, well why did you get rid of that tool? That one may have been the one that would have stopped the breach.

Candid Wüest: Yeah, it sounds kind of counterintuitive, right? Kind of reducing some of the tool [inaudible] that you have, and yes, it might be scary at the beginning, but very often you actually already pay for a lot of things which overlap. Right? So you might have some antivirus, you might have some vulnerability assessment, and usually you can only use one of the tools. Very often it doesn't really make sense to have overlapping tools because they might even generate some issues for you. So those are the simple ones to reduce, and it's also very simple to kind of help with the automation if you reduce the complexity. Because nowadays, nobody has enough resources, probably also not enough expertise in the house, right? So, we can either use external services and kind of use MDR services, or outsource everything to your service providers. Or, of course, you automate it to be efficient in the things you do. And for that, it definitely helps to reduce it. So, it might sound a bit scary at the beginning, but once you have a nice plan, it actually all makes sense.

Dave Bittner: Yeah, you mentioned AI and indeed there's a lot of hype around that right now. To what degree do you think the hype is overstated or should security professionals be concerned?

Candid Wüest: Yeah, it is definitely kind of the elephant in the room now, being it's ChatGPT or any large language models that we have at the moment. To be honest, I'm not afraid of seeing any Terminator-like ransomware any time soon. It has shown that yes, you can use ChatGPT and others, LLMs, to generate malware, to generate phishing emails and other things, but the malware which is generated is not that sophisticated. Very often it actually doesn't really run and we don't expect any of the more sophisticated groups, don't even think about the APT groups, to use it to their advantage because simply it doesn't really help them too much. But, of course yes, it will enter or will allow more cybercriminals to enter the field so we will see a boost in probably the frequency of attacks and the volumes of attack, which we all know some people still fall for even the simple spam and phishing emails. So, this is something to keep in mind, but on the detection side, I mean no matter how it is generated with an AI model, if you're looking for sophisticated things like behavior heuristics, you can still detect it, right? Because in the end, you want to see does someone encrypt your data? Does someone steal your bitcoin wallet? And those are the things you cannot really hide no matter how much AI you use. So, I think it is slightly overstated but of course, on the defender side, you should definitely use AI and it has been used for many, many years already because it is very easy and helpful in defining anomalies in your data.

Dave Bittner: That's Candid Wüest, from Acronis.

Dave Bittner: And it is always my pleasure to welcome back to the show, Chris Novak. He is the managing director for cybersecurity consulting with Verizon Business. Chris, welcome back. You and I have been going through some of the specific elements of this year's Verizon DBIR. I want to talk about Log4j, and sort of the-- is it fair to say the long tail that we're experiencing with that?

Chris Novak: Absolutely, yeah, thanks Dave. And yeah, Log4j is definitely, I don't know if I want to say it's the gift that keeps on giving, it's, I think it has started to kind of peter out a bit in terms of interest, but I think there's a lot of really substantial data that we've gathered on it and it attracted just probably by far the most media attention that we've seen around a specific vulnerability in as long as I can remember.

Dave Bittner: Well, let's dig into some of that data. What are some of the things you highlight in the report?

Chris Novak: Sure, so I think one of the things that was probably most surprising to us, we actually kind of went back and reworked the data, just to make sure it was correct, was that more than a third of all of the scanning activity to look for Log4j vulnerable systems, happened within the first 30 days of it becoming publicly known. More than a third in 30 days, and in fact, the majority of it, the biggest spike in activity occurred within the first 17 days. And so, you know, there's a number of takeaways that come out of that, that I think are worth highlighting and that is one, great to see the defense looking for it, but obviously a big portion of that also is the offense. We know that just about as fast as Log4j became known in the wild as being vulnerable, we saw exploit code out there looking to take advantage of it.

Dave Bittner: Is it fair to label that, like a threat actor gold rush, that they want to be the first ones to be able to exploit this on a vulnerable system?

Chris Novak: I think, you know, partially, I think part of it is they looked at it as this is a very target rich environment, I think there was a number of things that contributed to it, one was as I spoke with CISOs and security teams all across the globe when this was happening, the big thing that they all said was, "Oh, my God, I know we have to have this in our environments, I know it's going to be here, my biggest concern is; I don't know where." Because most every security team out there has got a catalog of kind of the macro level applications and systems that they run, or at least many do, there's obviously still that are still working on this. But many of them never have gone down to that next level kind of, where we would talk about things like software build materials and say kind of, you know, what are the ingredients that are inside these things in the event we discover that something is vulnerable. So there was a mad rush, both on the defensive side to just try to figure out where the heck is this in our environment, and then obviously there was the rush on the offensive side by the malicious threat actors going, this is perfect, they're all scurrying around trying to figure out where their vulnerable systems are, let's go see if we can find them first.

Dave Bittner: Do you have a certain amount of empathy for the folks who are out there and still may not be 100 percent aware that they could have this vulnerability lurking somewhere in their systems?

Chris Novak: Oh, I have a lot, yeah. And I think that there's definitely a good bit of this still out there and it's actually interesting when we looked at the data, we saw that when it first became known, you saw a spike in looking for it, and then you saw, in terms of we've got a lot of data in the report around kind of vulnerability management information. You saw a lot of these vulnerabilities get patched relatively quickly, or addressed in some mitigating way, relatively quickly and you see the number of vulnerable systems drop, you know, very, very fast. But then interestingly you see it pick back up again. And we have a look and we go, what the heck? Are you telling me that there's people out there who are actively deploying vulnerable systems with Log4j? And what it ended up being was lots of organizations scurried to address the problem so quickly in their production environments, but they forgot to address it in their backup environments, their DR environments, you know, their gold standard images and so, as systems naturally rolled over, restored from backup as part of other procedures, what they were finding was systems they thought were fixed, as it rolled a backup and restored something, they'd actually be bringing back vulnerable Log4j instances back into their production environments and they'd be rediscovering them again. And so we kind of saw almost like this decaying sine wave over time where we'd see it would get knocked down, it would come up again. Get knocked down and come up again. And each time the peak would get a little bit lower, but we'd see this kind of phenomenon happen, and obviously threat actors going after all of those as well.

Dave Bittner: I mean we know that the threat actors are out there looking for this. If I'm trying to defend my system, is there a-- can automation be my friend here? Is there something I can deploy that can be trying to get ahead of the threat actors and looking for it for my sake?

Chris Novak: Yeah, so I think there's a couple things; one, there's definitely great technology out there for looking for this, I know that you know, when we get called in by clients to help them with exactly these kind of problems, there's a whole host of technology solutions that can be deployed to look for the vulnerable libraries. So, you know, definitely folks should know that it does exist and if they're struggling with it, you know, definitely reach out, it's something to-- worth discussing, because you can find those libraries in the environment, you can identify the vulnerable applications. The other thing also that we've seen a dramatic uptick in is increasing adoption of software build materials. Now it's by far not perfect, but we're getting closer every day and even the U.S. Government and others are starting to kind of step in and say hey, we see the value in having something like this, and you know, for those who may not be familiar, I kind of say, it's almost like think of it as like the ingredients list in your food, right? Everything you buy, you look on the package and it's got a list of ingredients and typically a list of allergens. And if you have a particular allergy to something, or if there is an ingredient that we know is dangerous or harmful, it makes it very easy for us to identify whether or not that is in you know, one of our packaged food products. And so we're kind of starting to see more of an adoption of that as it relates to software packages as well, because there's so many different developers out there that may source different libraries and packages from other places. So having visibility into that through something like a software build materials is another great way to kind of understand where that risk might be.

Dave Bittner: Yeah. Alright, well Chris Novak is managing director for cybersecurity consulting at Verizon. Chris, thanks so much for joining us.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. We'd love to know what you think of this podcast, you can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire, are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment; your people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliot Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening, we'll see you back here tomorrow.